I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm currently running an eval of CSACS v4.2 for Windows in the lab until I can work out the issues.
So far I've been fairly successful getting user accounts authenticated with Active Directory credentials using the "Windows Database" external user database. The only problem I've run into is that I can't seem to figure out how to restrict access based on Active Directory group membership.
For instance, in the lab I have a Cisco 3750 switch using RADIUS authentication tied back to the ACS server to control login access. But given my current ACS configuration, everyone in the Windows domain can log in to the switch. How can I restrict that down to just a specific user group in Active Directory?